After a recent data breach where an adversary successfully exfiltrated sensitive data, the incident response team has completed the containment and eradication stages. Which action would BEST equip the team to perform root cause analysis and determine the original vulnerability exploited?
Initiating a campaign to re-educate all users about phishing and social engineering
Conducting a thorough analysis of security logs for signs of initial compromise
Scheduling a complete review of all organizational security policies and procedures
Running a comprehensive vulnerability scan on all networked systems
Conducting a thorough analysis of the security logs, especially around the time of the breach, will likely reveal the sequence of events that led to the breach, including the initial point of entry and methods used by the attacker. This detailed trail is indispensable for pinpointing the original vulnerability or misconfiguration that the attacker exploited. Simply running a vulnerability scan might identify potential vulnerabilities but would not confirm which were actually exploited. Organizational policy review and user education, while important, are less likely to directly lead to the discovery of the specific exploited vulnerability.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why are security logs critical for root cause analysis after a breach?
Open an interactive chat with Bash
How do security logs differ from vulnerability scans?
Open an interactive chat with Bash
What tools can be used to analyze security logs effectively?